Integrate SecurityScorecard with the Splunk security information and event management (SIEM) tool to use Scorecard data in the Splunk platform and enhance security and risk insights. The integration is compatible with both Splunk Cloud and Splunk Enterprise.
The integration uses three data components from the SecurityScorecard platform:
- SecurityScorecard's overall letter-grade security ratings, which enable you to quickly understand the cybersecurity posture of an organization.
- SecurityScorecard's underlying factor data in key risk categories, including Application Security, IP Reputation, Patching Cadence, Network Security, Hacker Chatter, Social Engineering, and Information Leak. Each factor is predictive. For example, organizations with a C, D, or F rating in Social Engineering are more than 400 percent more likely to experience a data breach than those with an A or B rating.
- SecurityScorecard issue-related data, which offers critical data points across more than 80 issue types not available from any other security ratings provider.
You can monitor your own Scorecard, third-party Scorecards, or both. Once installed, the add-on pulls scores and issue-level event information daily and logs them to Splunk. Use Splunk to search, visualize, create alerts, and take action to monitor your own cybersecurity risk and the risk posed by your third parties.
Set up the integration
Create a bot user with an API token
Note: If you do not have administrative permissions in SecurityScorecard, ask an administrator to create the user and API token for you.
- In SecurityScorecard, click your profile avatar and select My Settings.
- Select People Management and click Invite people.
- Select the Check to create a bot user box. This prevents a scenario where a human user's expired API token causes the integration to stop working.
- Name the bot user and set the Access Level to Read Only. Then click Add User.
- Click None in the API column and then select Create API token.
- Copy the API token and click Done.
Install the SecurityScorecard components
The SecurityScorecard integration includes two components:
- The add-on connects SecurityScorecard data to Splunk. It can be used on its own if you only need the raw data or want to create your own dashboards.
- The app provides pre-built dashboards for visualizing and exploring the data pulled in by the add-on. The app requires the add-on to function.
Install both components unless you specifically need only the raw data feed.
- In Splunk, select Find More Apps on the main page.
- Search for SecurityScorecard and install both the add-on and the app.
Configure the add-on
First, configure the add-on, as it pulls data from SecurityScorecard.
- Select the add-on from the Apps drop-down menu at the top of the navigation.
- Select the Configuration tab.
- Click Add to create a new set of credentials.
- Enter your API token in the dialog and save.
- Select the Inputs tab.
- Click Create New Input to open a configuration dialog.
- Fill in the configuration fields:
  - Name — Create a unique name for this configuration set.
  - Interval — Set how often data is pulled, in seconds. The default is 86400 seconds because SecurityScorecard generates new data once a day.
  - Index — Specify the index to log SecurityScorecard data to.
  - Your Domain — Enter your organization's domain name for self-monitoring.
  - Global Account — Enter the account configured in the preceding steps.
  - SecurityScorecard API URL — Enter the URL, typically https://api.securityscorecard.io/.
  - PortfolioId — To monitor third parties, enter a comma-separated list of portfolio IDs from SecurityScorecard. Enter all to collect from all monitored organizations.
  Tip: You can copy a portfolio ID from the address bar when viewing a portfolio in the SecurityScorecard platform.
- Click Add.
Configure the app
- Select the app from the Apps dropdown menu at the top of the navigation.
- Click Continue to app setup page.
- Select your organization's domain from the dropdown list and click Save.
Start using the integration
Once configured, the integration automatically pulls data from SecurityScorecard daily. The following dashboards are available:
- My Scorecard displays the top-level score and grade, score trend, factor scores, and issues for your domain.
- Vendor Scores shows scores for all vendors in the configured portfolios, including top-level grade, score, and factor information for each company, as well as their active issues. Filter by portfolio, company, and industry.
- Active Issues shows a summary of active issues within a specified timeframe, with one table by factor and another by severity. Filter by portfolio, company, factor, and industry.
- Vendor Issues displays issues for each vendor, including Common Vulnerabilities and Exposures (CVEs) and ransomware. Filter by relevance.
- Spotlight shows the 10 companies with the lowest scores and the 10 most critical issues, along with a summary of the most common issues. Filter by company, portfolio, factor, and industry.
For all dashboards, you can select columns and generate searches. In some cases, selecting a table row links to SecurityScorecard for more information.
Get help
If you need help or have questions about the integration, contact the Splunk support team.
FAQ
Is the Splunk add-on using the correct version of jQuery?
Yes, the add-on uses jQuery 3.5, which is the version required by Splunk.
Why does the Splunk integration show a date two to three days older than today?
This is expected behavior. The date shown, two to three days before the current date, is the current scoring date. When the history events endpoint is called, it returns data from the previous two or three days.
Note: The integration does not omit or miss delayed data. It eventually posts the data.
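Because a two-to-three-day lag is normal, a feed that has silently stopped (for example because a token expired, the scenario the bot-user step above is meant to avoid) is easy to miss: the dashboards keep showing data, just increasingly old data. The following added example, which is not part of the add-on or of SecurityScorecard's own code, shows the freshness check a practitioner would run over the pulled records. The record shape, the `scoring_date` field name, the sample domains and the five-day staleness threshold are all assumptions constructed for the example; the add-on's actual field names are not documented on this page.

```python
from datetime import date

# Constructed sample records shaped like a daily score pull. The field name
# "scoring_date" is an assumption, not a field name documented for the add-on.
SAMPLE_EVENTS = [
    {"domain": "example.com", "scoring_date": "2024-03-08", "score": 88},
    {"domain": "example.com", "scoring_date": "2024-03-09", "score": 87},
    {"domain": "vendor-a.example", "scoring_date": "2024-03-09", "score": 72},
    {"domain": "vendor-b.example", "scoring_date": "2024-03-02", "score": 65},
]

# The set you expect to see every day: your own domain plus portfolio companies.
# vendor-c.example is deliberately absent from SAMPLE_EVENTS to show the
# "missing" case (constructed, not a real portfolio).
MONITORED_DOMAINS = [
    "example.com",
    "vendor-a.example",
    "vendor-b.example",
    "vendor-c.example",
]

# Per the FAQ, the newest scoring date is normally 2-3 days behind today.
# Anything older than MAX_LAG_DAYS indicates the pull has stopped (expired
# token, wrong portfolio ID, network problem). The threshold is an assumption.
EXPECTED_LAG_DAYS = (2, 3)
MAX_LAG_DAYS = 5


def _as_date(value):
    """Accept either a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def latest_scoring_date(events, domain):
    """Return the most recent scoring_date for a domain, or None if no events exist."""
    dates = [_as_date(e["scoring_date"]) for e in events if e["domain"] == domain]
    return max(dates) if dates else None


def check_freshness(events, monitored_domains, today, max_lag_days=MAX_LAG_DAYS):
    """Classify each monitored domain as 'fresh', 'stale' or 'missing'.

    Returns a dict mapping domain -> (status, lag_in_days). lag_in_days is
    None for a domain with no events at all.
    """
    today = _as_date(today)
    report = {}
    for domain in monitored_domains:
        latest = latest_scoring_date(events, domain)
        if latest is None:
            report[domain] = ("missing", None)
            continue
        lag = (today - latest).days
        status = "fresh" if lag <= max_lag_days else "stale"
        report[domain] = (status, lag)
    return report


def stale_or_missing(report):
    """Domains that should raise an alert, sorted for stable output."""
    return sorted(d for d, (status, _) in report.items() if status != "fresh")


def run_example(today="2024-03-11"):
    """Run the check over the constructed data for a fixed 'today'."""
    return check_freshness(SAMPLE_EVENTS, MONITORED_DOMAINS, today)


if __name__ == "__main__":
    report = run_example()
    for domain, (status, lag) in report.items():
        lag_text = "no events" if lag is None else f"{lag} day(s) behind"
        print(f"{domain:20s} {status:8s} {lag_text}")
    print("alert on:", stale_or_missing(report))
```

A lag of 2 or 3 days is reported as fresh, which matches the FAQ; only a domain whose newest record is older than the threshold, or that has no records at all, is flagged. In Splunk the same logic belongs in a scheduled alert over the configured index, using whatever date field the add-on actually emits.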